Trusted Extensions Configuration and Administration

Updated: December 2017
 
 

How to Create New Device Authorizations

If a device does not require an authorization, then, by default, all users can use the device. If an authorization is required, then only authorized users can use the device.

To deny all access to an allocatable device, see Example 52, Preventing Remote Allocation of the Audio Device. To create and use a new authorization, see Example 54, Creating and Assigning Trusted Path and Non-Trusted Path Device Authorizations.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. (Optional) Create a help file for each new device authorization.

    Help files are in HTML format. The naming convention is AuthName.html, as in DeviceAllocateCD.html.

  2. Create the device authorizations.
    # auths add -t "Authorization description" -h /full/path/to/helpfile.html authorization-name
  3. Add the new authorizations to the appropriate rights profiles.
    # profiles rights-profile
    profiles:rights-profile > add auths="authorization-name"...
  4. Assign the profiles to users and roles.
    # usermod -P "rights-profile" username
    # rolemod -P "rights-profile" rolename
  5. Use the authorizations to restrict access to selected devices.

    Add the new authorizations to the list of required authorizations in the Device Manager. For the procedure, see How to Add Site-Specific Authorizations to a Device in Trusted Extensions.

Example 53  Creating Fine-Grained Device Authorizations

In this example, a security administrator for NewCo needs to construct fine-grained device authorizations for the company.

First, the administrator creates the following help files:

Newco.html
NewcoDevAllocateCDVD.html
NewcoDevAllocateUSB.html

Next, the administrator creates a template help file from which the other help files are copied and modified.

<HTML>
<!--
-- Copyright 2012 Newco.  All rights reserved.
-- NewcoDevAllocateCDVD.html
-->
<HEAD>
<TITLE>Newco Allocate CD or DVD Authorization</TITLE>
</HEAD>
<BODY>
The com.newco.dev.allocate.cdvd authorization enables you to allocate the
CD drive on your system for your exclusive use.
<p>
The use of this authorization by a user other than the authorized account
is a security violation.
<p>
</BODY>
</HTML>

After creating the help files, the administrator uses the auths command to create each device authorization. Because the authorizations are used throughout the company, the administrator places the authorizations in the LDAP repository. The command includes the pathname to the help files.

The administrator creates two device authorizations and a Newco authorization header.

  • One authorization authorizes the user to allocate a CD-ROM or DVD drive.

    # auths add -S ldap -t "Allocate CD or DVD" \
      -h /docs/helps/NewcoDevAllocateCDVD.html com.newco.dev.allocate.cdvd
  • One authorization authorizes the user to allocate a USB device.

    # auths add -S ldap -t "Allocate USB" \
      -h /docs/helps/NewcoDevAllocateUSB.html com.newco.dev.allocate.usb
  • The Newco authorization header identifies all Newco authorizations.

    # auths add -S ldap -t "Newco Auth Header" \
      -h /docs/helps/Newco.html com.newco

Example 54  Creating and Assigning Trusted Path and Non-Trusted Path Device Authorizations

By default, the Allocate Devices authorization enables allocation from the Trusted Path and from outside the Trusted Path.

In the following example, site security policy requires restricting remote CD-ROM and DVD allocation. The security administrator creates the com.newco.dev.allocate.cdvd.local authorization. This authorization is for CD-ROM and DVD drives that are allocated with the Trusted Path. The com.newco.dev.allocate.cdvd.remote authorization is for those few users who are allowed to allocate a CD-ROM or DVD drive outside the Trusted Path.

The security administrator creates the help files, adds the device authorizations to the auth_attr database, adds the authorizations to the devices, and then places the authorizations in rights profiles. The root role assigns the profiles to users who are allowed to allocate devices.

  • The following commands add the device authorizations to the auth_attr database:

    # auths add -S ldap -t "Allocate Local DVD or CD" \
      -h /docs/helps/NewcoDevAllocateCDVDLocal.html \
      com.newco.dev.allocate.cdvd.local
    # auths add -S ldap -t "Allocate Remote DVD or CD" \
      -h /docs/helps/NewcoDevAllocateCDVDRemote.html \
      com.newco.dev.allocate.cdvd.remote
  • The following shows the Device Manager assignment:

    Local allocation of the CD-ROM drive is protected by the Trusted Path.

    Device Name: cdrom_0
    For Allocations From: Trusted Path
    Allocatable By: Authorized Users
    Authorizations: com.newco.dev.allocate.cdvd.local

    Remote allocation is not protected by the Trusted Path; therefore, remote users must be trustworthy. In the final step, the administrator will authorize remote allocation for two roles only.

    Device Name: cdrom_0
    For Allocations From: Non-Trusted Path
    Allocatable By: Authorized Users
    Authorizations: com.newco.dev.allocate.cdvd.remote
  • The following commands create the Newco rights profiles for these authorizations and add the authorizations to the profiles:

    # profiles -S ldap "Remote Allocator"
    profiles:Remote Allocator > set desc="Allocate Remote CDs and DVDs"
    profiles:Remote Allocator > set help="/docs/helps/NewcoDevRemoteCDVD.html"
    profiles:Remote Allocator > add auths="com.newco.dev.allocate.cdvd.remote"
    profiles:Remote Allocator > end
    profiles:Remote Allocator > exit
    # profiles -S ldap "Local Only Allocator"
    profiles:Local Only Allocator > set desc="Allocate Local CDs and DVDs"
    profiles:Local Only Allocator > set help="/docs/helps/NewcoDevLocalCDVD.html"
    profiles:Local Only Allocator > add auths="com.newco.dev.allocate.cdvd.local"
    profiles:Local Only Allocator > end
    profiles:Local Only Allocator > exit
  • The following commands assign the rights profiles to authorized users. The root role assigns the profiles. At this site, only roles are authorized to remotely allocate peripheral devices.

    # usermod -P "Local Only Allocator" jdoe
    # usermod -P "Local Only Allocator" kdoe
    # rolemod -P "Remote Allocator" secadmin
    # rolemod -P "Remote Allocator" sysadmin
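
Added example, not part of the original documentation: a shell function for checking the outcome of Example 54 against the site policy that only the two roles may allocate outside the Trusted Path. It assumes the rights profile and account entries are available as files in prof_attr(5) and user_attr(5) entry format; `holders_of`, `write_sample`, the `Newco Admin` profile and all sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example; sample entries are constructed, not taken from a real system.
# holders_of AUTH PROF_ATTR_FILE USER_ATTR_FILE
# Prints "account: source" for each account granted AUTH by a direct auths=
# entry or an assigned rights profile. A grant ending in ".*" covers its prefix.
holders_of() {
    awk -F: -v want="$1" '
    function attr(s, key,    n, i, kv) {      # value of key in "k=v;k=v"
        n = split(s, kv, ";")
        for (i = 1; i <= n; i++)
            if (index(kv[i], key "=") == 1) return substr(kv[i], length(key) + 2)
        return ""
    }
    function grants(list,    n, i, a) {       # exact match or "prefix.*"
        n = split(list, a, ",")
        for (i = 1; i <= n; i++)
            if (a[i] == want || (a[i] ~ /\.\*$/ &&
                index(want, substr(a[i], 1, length(a[i]) - 1)) == 1)) return 1
        return 0
    }
    /^#/ || NF < 5 { next }
    { rest = $5; for (i = 6; i <= NF; i++) rest = rest ":" $i }
    FILENAME == ARGV[1] {                     # prof_attr: note granting profiles
        if (grants(attr(rest, "auths"))) hit[$1] = 1
        next
    }
    {                                         # user_attr: report holders
        if (grants(attr(rest, "auths"))) print $1 ": direct auths"
        n = split(attr(rest, "profiles"), p, ",")
        for (i = 1; i <= n; i++) if (p[i] in hit) print $1 ": profile " p[i]
    }' "$2" "$3"
}

write_sample() {    # constructed prof_attr(5) / user_attr(5) entries
    cat > "$1/prof_attr" <<'EOF'
Remote Allocator:::Allocate Remote CDs and DVDs:auths=com.newco.dev.allocate.cdvd.remote
Local Only Allocator:::Allocate Local CDs and DVDs:auths=com.newco.dev.allocate.cdvd.local
Newco Admin:::Constructed over-broad profile:auths=com.newco.*
EOF
    cat > "$1/user_attr" <<'EOF'
jdoe::::profiles=Local Only Allocator
kdoe::::profiles=Local Only Allocator,Newco Admin
secadmin::::type=role;profiles=Remote Allocator
sysadmin::::type=role;profiles=Remote Allocator
EOF
}

dir=$(mktemp -d) && write_sample "$dir"
holders_of com.newco.dev.allocate.cdvd.remote "$dir/prof_attr" "$dir/user_attr"
```

In the sample, kdoe is reported alongside the two roles only because of the constructed wildcard grant com.newco.*, which is the kind of policy drift this check is meant to surface. The function does not follow profiles nested inside other profiles or defaults granted through policy.conf.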